Pharmacy Express
Discussion 2011

Since the end of November 2010, there have been millions of spams containing links to the Pharmacy Express fraud pharmacy. The criminal nature of the fraud and proof of its false pretenses are clearly documented here.

This operation used the "redirector" approach. The spammed link had a long, padded format, with extra words in it. Common words that were always present as a "fingerprint" were pfizer and viagra. For example
* http://will.ulyh.pfizer.pillsdrx.ru
* http://pfizer.viagra.sbynmori.humidiclc.ru

These links in turn redirected to a "target" domain, to avoid the spammed links getting blacklisted, as is common today. The spammer strategy was to hide the actual location of the pharmacy fraud web sites.

Since anti-spam operations will also report the hosting IP address on which illegal web sites are running, this operation took measures to "bullet-proof" the IPs as well. The target web sites ran on a "fast-flux", or rapidly changing, range of host locations. These were a botnet of machines that had been compromised and were running a "reverse proxy" program. The reverse proxy program was a small front-end program that tunnelled all requests for web pages to hidden back-end servers, providing another level of bullet-proofing.

Anti-spam measures can involve
# reporting and getting the spammed redirectors suspended (there are over 2500, and they add more daily)
# reporting and getting the target site suspended (there are hundreds, and they change daily)
# reporting and having the hosting IPs cleaned (botnet counts are in the millions)
# locating, arresting and prosecuting the perpetrators of the Pharmacy Express fraud

Looking at that list, the last one is the only effective solution.

Discussion 2010

The incidence of this scam increased remarkably in August/September 2010. Domain names followed a recognizable pattern, with domains registered in Russia, and widely spammed.
The domains, however, redirected to target sites in order to avoid being detected and blacklisted in spam traps. For example, almedicshop.ru would redirect to fildrugs.com/medic/index.php

Typical names for redirectors registered at REGRU-REG-RIPN were
* almedicshop.ru
* apmedicshop.ru
* armedicshop.ru
* aumedicshop.ru
* bimedicshop.ru
* ecmedicshop.ru
* flmedicshop.ru
* himedicshop.ru
* hymedicshop.ru
* medicshopai.ru
* medicshopam.ru
* medicshopan.ru
* medicshopas.ru
* medicshopce.ru
* medicshopct.ru
* medicshopgr.ru

The target site was Domain Name: FILDRUGS.COM, Registrar: POWER BRAND SOLUTIONS LLC

The November 2009 version sparked a new wave of spamming on Chinese .cn registered domains, embedding an iframe for the site justpfizershop.com. Sample redirection sites were
* jppyanpx.cn
* jwmubjve.cn
* xkftadba.cn
* cndrfvxq.cn
* svtjyblz.cn
* itvotozy.cn
* owjlarwg.cn
* nfetwode.cn
* slutluvf.cn

The 2008/2009 version of PE sites started to be spammed in late February 2008 and, as mentioned above, they feature a totally different design. 2008 spam runs relied on Yahoo search redirections to penetrate spam whitelists and avoid blacklists.

Spamming in 2007 for domains like lodrx.com, tedrx.com and similar targeted Google's Gmail customers. Most were trapped by Gmail's spam detection and diverted to the spam folder.

You may follow a discussion on PE at the Fight Back forum.

Basic Summary

PE is yet another illegal pharmacy website operation which claims to offer discounted pharmaceuticals to unsuspecting consumers. As with numerous other pharmacy spam operations, nearly every single claim on their website is 100% false. Their sites are not secure, you might not be sent anything after ordering on these sites, and among other things your credit card and possibly your identity may be stolen by these cyber-criminals.

Sample of a PE Spam e-mail

Subject: Re: PHxyjARMA
Body:
Hi,
Vniagra 3, 35
Vnalium 1, 25
Cnialis 3, 75
Anmbien 2, 90
http://agnosti.22rx,com
Important: Replace "," with "."
in the above link
--
Cedric stared at him. Harry saw some of the panic hed been feeling since Saturday night flickering in Cedrics gray eyes. Are you sure? Cedric said in a hushed voice.

Another sample

Hi,
Economize 50% on Vaiagra Vaulium Ciualis
http://www.tetrx-com
Replace "-" with "." in the above link.
Thats not the point! raged Mr. Weasley. You wait until I tell your mother Tell me what? said a voice behind them.

Description of Operations

The PE website is a typical pharmaceutical e-commerce site. They claim to offer generic versions of several prescription drugs including Viagra and Cialis. (As stated elsewhere, neither of those drugs has a generic version since, as of this writing, they are still protected by international patents.)

In many ways this site is similar to the My Canadian Pharmacy family of sites in terms of products offered and pricing, so the reader is directed to that entry for further details regarding the basics of the pharmaceuticals, ordering process, and claims. Most are either completely identical or very slightly different.

As with My Canadian Pharmacy and numerous other illegal / fake pharmacy operations, nearly every single claim on the site is completely false.

Their "How To Order" page outlines this series of steps and makes the same claim as MCP sites that "All orders are received via a secure server, to ensure that your sensitive information is kept private and to guarantee you peace of mind." As we will discover below, this is 100% false.

Operator Identification

It has been alleged for many years that the operator of PE is one Leo Kuvayev, head of a spamming organization known as BadCow and the pharma affiliate program Mailien. At this writing, Leo Kuvayev was the #2 spammer in the world according to the Spamhaus ROKSO listing, second only to Alex Polyakov, who is linked to numerous articles in this wiki.
Leo Kuvayev's ROKSO listing

In 2009 it was reported that Kuvayev was in prison awaiting trial on a charge of child molestation - http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK9179

PE has long been linked to the renowned criminal spamming gang known as Yambo Financials, which has ties to several criminal activities including child pornography and credit card fraud.

Kuvayev also has ties to a group known as the "Pavka / Artofit" spam gang (Spamhaus ROKSO Link) who have further ties to all manner of illegal activity involving spam, viruses, Trojans, botnets, the creation and distribution of child and bestiality pornography, and of course money laundering and numerous other types of financial fraud.

In August 2010, an anonymous blogger at lj.rossia.org/users/clonopay/ alleged that this Leo Kuvayev is the same Leonid Aleksandorovich Kuvayev (Леонида Александровича Куваева) jailed in Moscow on 50 counts of raping children from an orphanage. Independent reporter Brian Krebs, formerly a technology columnist for the Washington Post, confirmed numerous details.

See also 2011 updates - the Sophos report and an article in the Moscow News, where Kuvayev has partly admitted to the charges of molesting orphan children.

Website Claims

The claims made on the PE sites are virtually identical to those made on most MCP websites, so it is recommended that the reader visit that entry for further details. It lists the same "supporters" (formerly including the appearance of the ubiquitous Better Business Bureau icon) and makes the same claims of security. All patently false.

False pretenses

Website Structure And Domain Names

The PE site structure is slightly different from that of MCP sites, but in terms of user flow and captured data it is virtually identical. In the time period between November 2006 and January 2007 these sites underwent a structural and functional overhaul from the .NET infrastructure to a PHP / MySQL implementation.
They similarly use public Unix servers to host their websites and images, as well as their DNS servers.

One additional item that greatly separates this spam operation is its sophisticated use of extremely large botnets. In November 2006, the security company "F-Secure" posted in their security blog about a recent discovery made while investigating the recent bout of "Warezov" botnet infections. (F-Secure Blog Entry)

They noted that the infection Trojan for the Warezov virus was attempting to connect to a specific unpronounceable domain name:

"Once the downloader is executed on a computer, it connects to a download URL. A typical URL would be, for example: www6.vedasetionkderun.com/819/nt.exe or yuhadefunjinsa.com/chr/grw/lt.exe"

They made a direct connection between the virus distribution URL, the spamvertised URLs, and the website URLs for several PE websites. This is significant because literally every single PE domain at the time looked like that style of URL:
* http://www.waseruijingunhdefunkas.com/
* http://www.keruijingendasunjasn.com/
* http://www.qeuitiondekinjastunde.com/
* http://www.wadefuntionkdeunhasbeitun.com/
etc...

This had been the case with their domain names for close to three years, indicating a well-entrenched pattern of Windows virus infections, tied to automated domain registrations for PE specifically.

Clearly their domain names are automatically named via some automated algorithm using word syllables in random sequence. On any given day, up to 100 such domains were being registered with multiple domain registrars via automated means. They all followed that structure.
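
The naming pattern described above can be turned into a triage check. The following is an added example, not code from this wiki or from F-Secure: it builds a trigram profile from the six generated names quoted in this section and scores other hostnames against it. The length floor, the 0.25 cut-off and the `.example` host are assumptions chosen for illustration; the two `ns0` names are the PE name servers listed in the Your Online Pharmacy section of this page.

```python
# Added example: score hostnames against a trigram profile of known PE names.
KNOWN_PE_LABELS = [  # generated names quoted on this page
    "vedasetionkderun", "yuhadefunjinsa", "waseruijingunhdefunkas",
    "keruijingendasunjasn", "qeuitiondekinjastunde",
    "wadefuntionkdeunhasbeitun",
]
MIN_LABEL_LEN = 14  # assumption: the shortest quoted sample has 14 characters
THRESHOLD = 0.25    # assumption: illustrative cut-off, tune it on real data


def trigrams(label):
    """All overlapping three-character windows of a label, in order."""
    return [label[i:i + 3] for i in range(len(label) - 2)]


# Every trigram seen in any known PE-generated name.
PROFILE = {t for name in KNOWN_PE_LABELS for t in trigrams(name)}


def registered_label(host):
    """Label left of the TLD (simplification: ignores multi-part suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def family_score(host):
    """Fraction of the label's trigrams already seen in known PE names."""
    grams = trigrams(registered_label(host))
    if not grams:
        return 0.0
    return sum(g in PROFILE for g in grams) / len(grams)


def looks_like_pe_generated(host):
    """Long, purely alphabetic label that reuses fragments of known names."""
    label = registered_label(host)
    return (len(label) >= MIN_LABEL_LEN and label.isalpha()
            and family_score(host) >= THRESHOLD)


if __name__ == "__main__":
    samples = [
        "ns0.pasdrtionkintungandesunjin.com",  # PE name server from this page
        "ns0.deryandsuikiontunhandes.com",     # PE name server from this page
        "www.internationalshipping.example",   # constructed benign host
        "www.spamhaus.org",
    ]
    for host in samples:
        print(f"{host:38} {family_score(host):.2f} "
              f"{looks_like_pe_generated(host)}")
```

Names the profile has never seen still score above the cut-off because the generator reuses fragments such as "tion", "unj" and "tun"; ordinary long words share a few of those trigrams too, which is why the cut-off needs tuning against real traffic.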
Recent Domains and sponsoring registrars

Updated February 2019
* Alpnames Limited: bestordertop.com
* ARDIS-SU: bestrxevents.su buyhouse.su deliverygroup.su discounthouse.su fastmarket.su grandsupply.su helpmaster.su lightaward.su lowpricestore.su luckstore.su marketportal.su onlinesale.su ordertrade.su saleshop.su shopkey.su sitceservice.su successinfo.su supportexpert.su sweetsale.su topportal.su
* Danesco Trading Ltd.: vipsupportonline.com
* DOMAINSHOP-SU: buycentr.su orderclub.su stocklife.su topprice.su
* Gransy s.r.o d/b/a subreg.cz: hotsalestrade.com startnowtrade.com topmarketinfo.com
* NAUNET-SU: masterbshop.su
* PN-SU: directstore.su marketexpert.su mastersalehit.su realsaleinfo.su saleonline.su topmarkethot.su vipmarketweb.su
* REGRU-SU: protopshop.su
* REGTIME-SU: helptoday.su rxhouse365.su
* RU-CENTER: mensformula.online trustmarket.name vippriceland.com

Redirections

Hijacked web sites

These samples were spammed in mid October 2017
* http://commerch.com.br/refueling.html
* http://comptech.dualtechhosting.com/hinged.html
* http://death.s86.ru/materials.html
* http://mmtlgua.eu.pn/screeches.html
* http://silkscalp.perso.sfr.fr/pacified.html
* http://www.pcc.com.ar/forefinger.html
* http://www.welmas.ae/coexists.html
* http://domen.lviv.name/forward.html
* http://jvlv.demvar.lv/cursor.html
* http://laspraderas.com.pe/professionals.html
* http://oyun.gebze.org/specifications.html

Each of these represented a legitimate web site which had been hijacked. An additional html file had been inserted in the server root directory containing code that linked to the PE site medicvisd.ru, which in turn redirected to medicksma.com

Microsoft spaces.live.com

Each spaces.live.com URL spammed provided a web page on Microsoft's abused service that redirected to one of a range of spam brands. Each brand represented an illegal web site that indulged in fraud and misrepresentation. It is strongly recommended that visitors do not provide their identity and credit card details on any of these sites.
They are run by criminals who use credit cards to order domain names for spamming, or to sell stolen identities within their own "carding" community. PE is one of several brands targeted.

Storm Trojan

As at March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/
* PE
* ED Express
* United ED Meds
* Canadian Pharmacy

For PE, the redirection sites detected were
* daysidehomes.com
* flipsidesite.com
* thestarside.com
* sideeventsonline.com

How to report this spam

The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.

Unrelated sites

The legitimate Pharmacy Express

Related sites

Refer to the captured screen image. In 2011, spammer affiliates who registered with the Mailien spamming program were presented with pharmacy operations to select from. These included
* Canadian Pharmacy
* ED Express
* Pharmacy_Express

---

Your Online Pharmacy

In 2007: The same name servers were used to resolve both PE and Your Online Pharmacy sites. For example
* ns0.pasdrtionkintungandesunjin.com
* ns0.deryandsuikiontunhandes.com

These were used to resolve access to
* PE
** xrzu.com
** mudrx.com
** pudrx.com
* Your Online Pharmacy
** 2211122.com
** dodrx.com
** kodrx.com
** gudrx.com
** xodrx.com

Sharing the same IP Address
* PE
* ED Express
* Viagra Express

See: Category:Kuvayev family